[57] ABSTRACT

A security unit is disclosed for controlling access to a main computer system. The security unit provides a comprehensive mechanism for detecting and inhibiting sophisticated attackers. A method of operation and special purpose hardware for implementing this operation are disclosed.

2 Claims, 5 Drawing Sheets
METHOD AND APPARATUS FOR SECURING ACCESS TO A COMPUTER FACILITY

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation of Ser. No. 742,487 filed June 7, 1985, now abandoned.

The present application is related to the commonly-owned U.S. patent application Ser. No. 660,753, filed Oct. 15, 1984 by John R. Michener and entitled "Cryptographic Method and Apparatus Using a Generalized Rotor".

BACKGROUND OF THE INVENTION

The present invention relates to a method and apparatus for securing the transmission of data between a remote terminal and a main computer system. More particularly, the present invention concerns a security unit for controlling access to a computer facility such as a data base system, electronic fund transfer system, management information system and the like.

A major problem that has recently become an important public issue is the illegitimate access to computer operations and files. Simple password protection has proven inadequate because of the relative ease with which passwords can be improperly obtained and because of the speed with which such passwords may be passed on to other potential abusers of the system. A useful, but limited, technical solution to this problem is the callback method, wherein the potential user calls up the main computer system from a prearranged location, self-identifies, and then breaks the connection. If the user-supplied information is acceptable, the main computer then calls the user back to make the connection. If an improper user (hereinafter called an "attacker") attempts to use the system from a different location, the proper user will be notified of the fact by the callback at his/her location and will be able to change the password(s). Unfortunately, this system is not appropriate for individuals who cannot call from a unique or predetermined set of numbers. Other means must be provided to allow secure access for authorized users who must access the system from various public or non-unique locations.

The first question that must be answered when considering the question of secure computer access is: against what threat must the system be secure? To be conservative, one must assume that potential attackers of the system (1) are technically competent, (2) have access to considerable computational resources and (3) are capable of wiretapping a user's telephone line. To prevent or restrict the damage that such attackers can do to a computer system places heavy demands upon the method and apparatus for securing access to the system.

Countless schemes have been devised in the past to secure the transmission of data between a remote terminal and a main computer system. The following patents disclose various systems which provide access with a greater or lesser degree of security:

U.S. Pat. No. 3,781,473
U.S. Pat. No. 4,215,421
U.S. Pat. No. 4,268,715
U.S. Pat. No. 4,281,215
U.S. Pat. No. 4,283,599
U.S. Pat. No. 4,288,659
U.S. Pat. No. 4,315,101
U.S. Pat. No. 4,316,055
U.S. Pat. No. 4,317,957
U.S. Pat. No. 4,322,576
U.S. Pat. No. 4,349,695
U.S. Pat. No. 4,386,266
U.S. Pat. No. 4,408,202
European Patent Application No. 68,805
PCT Application No. WO83/02343

From these references it is known to provide an identification number for each terminal. It is also known to provide personal passwords, such as a personal identification number (PIN) coupled with the name of the user. It is also known to encrypt the transmitted data using a master key which is constant for a relatively long period (e.g., one month). Finally, it is known to supply a new password for each remote terminal transaction. In one of these systems, a user-entered number is encrypted using a first encryption key to give a first resultant. This first resultant is concatenated with a terminal-generated number, and the concatenated number is encrypted, using a second encryption key, to give a double encrypted number. This double encrypted number is transmitted to a main computer along with account identification data. There the double encrypted number is decrypted using the second encryption key to give the first resultant, and this first resultant is compared with the validation number and the account identification data stored in the data base of the main computer.

Most of the systems disclosed in the above-noted patents are relatively complex and therefore expensive. Furthermore, these systems are subject to compromise by a sophisticated attacker who has tapped the transmission line and broken the encryption algorithm. Under this condition, the attacker can simply read the next transaction number/variable password and use this information to compromise the system. Since the master key for encryption is constant for a long period of time (e.g., one month), the attacker will have sufficient time to compromise the system.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a system (both method and apparatus) for securing the transmission of data between a remote terminal and a main computer system, to prevent unauthorized access to the data in, and to the operations of, a computer system by an attacker who is technically competent, has unlimited computational and financial resources, and is willing to wiretap telephone lines to achieve his goal.

This object, as well as other objects which will become apparent from the discussion that follows, is achieved, according to the present invention, by means of a "security unit" associated with the remote terminal which implements the following procedure in gaining access to the main computer system:

(a) Calling the main computer system from a local telephone line to request access;
(b) Transmitting, via the telephone line:
    (i) in the clear, a first message including a security unit identification number;
    (ii) encrypted, a second message including a personal identification string entered into the remote terminal by the terminal user, a first internal password, generated automatically by the security unit, and the telephone number of the calling telephone;
(c) Awaiting and receiving a telephone callback message from the main computer system; and
(d) Upon callback, transmitting, via the telephone line:
    (i) encrypted, a third message acknowledging the callback and possibly including a second internal password; and
    (ii) encrypted, a fourth message including the data to be transmitted from the remote terminal to the main computer system.

The callback message from the main computer system preferably includes an enciphered instruction to increment the internal password generator. The next, succeeding password will then be different from the first password.

If desired, the encrypted third message including the second internal password can be omitted. In this case the password next succeeding the first password will occur when a communication link is established again at some later time.

In some telecommunication systems it will be possible for the main computer system to determine automatically the telephone number of the local telephone line. In such cases, it is not necessary (though it may be desirable) for the remote terminal to transmit its telephone number.

As it is used hereinafter, the term "main computer system" is intended to include not only the main computer itself but also its peripheral devices, such as a separate central security unit. Such a security unit removes the load from the main computer and prevents the possibility of subversion of the entire system by an attacker who has access to the main computer.

The apparatus and procedure according to the present invention use a callback system in gaining access to the main computer because such a system permits the determination of the origin of each call, thus allowing the main computer to maintain an audit trail of all the system users. In order to implement this callback system, it is necessary to provide an electronic "key" that is individualized and assigned to a specific user. To serve as a check, this key must have its own unique identification and must include information entered by the user.

According to the invention, the electronic "key" is implemented either by a separate security unit that is individualized to a particular user, or by an individualized electronic key module that may be inserted in a fixed security unit or remote terminal. For very high security access situations, the fixed security unit could measure and digitize personal characteristics of the user (fingerprint, voice, handwriting, physical characteristics) and supply the resultant information to the main computer system for verification. The security unit must have a non-volatile and inaccessible memory, a CPU (i.e., microprocessor) and a standard "smart" modem.

To secure the transmission of data between the remote terminal and the main computer, the security unit operates in conjunction with the remote terminal to implement various procedures and features according to the invention. In particular, each security unit has its own identification number which is communicated in the clear at each attempt to connect the remote terminal to the main computer system. There are two choices concerning the unit identification number: either (1) it cannot be altered without destroying the security unit, or (2) it is variable and can be set to values specified by the main computer upon command by the main computer. The second choice is appropriate if it is desired to deny a potential attacker information about the physical location of specified security units. Such information could be determined by wiretapping the telephone line(s) to the main computer and listening for the identification codes transmitted to the main computer by security units and, thereafter, the telephone numbers that the main computer dialed to contact these units.

Each security unit is preferably issued to only one individual: the person entitled and authorized to use the security unit. That individual should enter a "personal identification string" (such as his/her name, personal password and/or personal identification number (PIN)) when initial connection is attempted. If the security demands are high, each individual is preferably provided with one or more "trap flags" in their sign-on identification string. If a trap flag is activated, the main computer which receives this flag is notified that the security unit and/or its user have been compromised by an attacker. The main computer can then take protective action (such as allowing access only to dummy files) and may initiate countermeasures (such as tracing the telephone call and notifying appropriate authorities).

With each successful access to the main computer system, the security unit increments its automatically generated internal password. In this way, the password is different for each callup/callback procedure. Since it is necessary for the main computer system to know and anticipate the internal password of each security unit, these passwords cannot be automatically generated as purely random numbers. The automatic password generator within the security unit should produce a predictable password each time it is incremented, and be designed so that it is resistant to cryptographic assault on its internal state. Such a device might be, for example, a hard-wired storage unit (ROM) or a non-linear shift register having an appropriate feedback loop which changes its contents.

The use of continually changing, automatically generated internal passwords renders the system secure against echo attacks, since replaying a previously successful system access code block will not provide access to the main computer. The main computer could also query the security unit on a regular basis (for example, every 60 seconds), requiring the security unit to increment and retransmit its internal password. Routine reverification of the internal password renders the system secure against an attacker taking over the connection once a valid user has signed on. The standard reverification routine may be handled within the security unit without intervention or knowledge by the user. Finally, if the user attempts to increase the user status within the main computer or to execute prohibited operations, the main computer could require a full sign-on authorization again, or could flag the user as being compromised and force the user to re-establish his/her credentials through other channels.

Depending upon the type of system used to encrypt the transmitted data, it may not be necessary to increment the internal password on a regular basis. For example, an encryption system is disclosed in my copending U.S. patent application Ser. No. 660,753 filed Oct. 15, 1984, now abandoned, referenced above, which uses
an everchanging key. A diversion attack would be prevented by such a system since the attacker would not have the proper keys.

The security unit includes a cryptographic unit which is able to encrypt messages with a so-called "bit complete" block cryptographic algorithm. The material to be encrypted is the user-specific personal identification string (name of the user and the passwords entered by the user), the internal, automatically generated password of the security unit and the telephone number from which the user is calling. If a fixed security unit is being used to increase the security, the user information determined by the unit (e.g., fingerprint, voice, handwriting or physical characteristics of the user) should be included in the information to be enciphered in the block. If the material being sent to the main computer does not fill the block, it should be padded with random noise.

To recapitulate, in order to gain access to the main computer system, the user first enters into the remote terminal the appropriate text stream (personal identification string) and the telephone number at his/her location. The security unit associated with the remote terminal makes contact with the main computer and provides its own identification number, followed by the encrypted combination of its current, internal, automatically generated password, the user's personal identification string and the telephone number (plus measured user characteristics, if any). The security unit then breaks the contact and waits to receive a callback.

The main computer receives the security unit identification number, looks up its internal state, calculates its encryption keys, decrypts the block and compares the information with what these values should be. If the information provided is acceptable, it then calls back to the telephone number provided in the encrypted message, instructs the security unit to increment its internal state and allows the appropriate communication. If variable identification numbers are used, the main computer also transmits the identification number to be used for the next access of the system.

The communications from the main computer to the security unit are encrypted to prevent attackers from learning the new identification number (if it changes) and to prevent attackers from improperly calling up the security unit and instructing it to increment its state, thus desynchronizing the main computer and the security unit.

While the method and apparatus of the present invention do not require any additional effort or work on the part of the user beyond that required by presently known systems, the effect of the system according to the invention is to generate password information that changes with each access. The main computer can therefore maintain a record of where each call originated from, the user who accessed it, and the time of access. Encryption of the sign-on block prevents attackers from changing the specified telephone number and inhibits access to the internal, automatically generated passwords and the user text string. If re-verification is used, the internal, automatically generated password is preferably encrypted before transmission to prevent a wiretapper from easily obtaining the previous states of the internal password generator.

A security unit of the type just described encrypts communications to, and decrypts communications from, the main computer system. By making the encryption key equal to or dependent upon the internal, automatically generated password, the encryption key would differ with each message but could be easily determined by the local security unit and the main computer. If the message streams become corrupted due to noise or deliberate scrambling in the lines, a reverification of the user's status (incrementing the internal password) would reset the encryption key and resynchronize the security unit with the main computer.

My U.S. patent application Ser. No. 660,753 filed Oct. 15, 1984, now abandoned, for "Cryptographic Method and Apparatus Using a 'Generalized Rotor'" discloses generalized rotor cryptographic operators and a bit-complete substitution-permutation network system which is well suited for the encryption needs of the security unit. If it is desired to transmit individual characters or arbitrary short character strings, a generalized rotor substitution stream cipher can be used. If large blocks of text are to be sent, substitution-permutation block codes may be used without loss of transmission efficiency while increasing the cryptographic security.

If it is desired to use a standard encryption method, such as the U.S. Government Data Encryption Standard (DES), the security can be enhanced by the use of "duplex" operation in accordance with the invention. In this mode, one DES circuit (available as an integrated circuit or "chip") is operated in auto-feedback mode with its output blocks being used as the encryption keys of another DES circuit connected for block processing of the text. This arrangement may be further elaborated, according to the invention, by having shift registers or still another DES circuit modulate the key of the encryption key generation unit.

Duplex operation is usable with any strong block code system and results in perpetually changing encryption keys within any given text stream. A brute force attack that yields the value of any particular encryption key only yields the key used for a single encryption block. Analysis for the "source key" is much more difficult. As above, the source key would be a function of the internal, automatically generated password, yielding a system that would never identically encrypt a message.

If the users of the security access control system are not issued the entire security unit for connection to a remote terminal, they must be issued more than just the memory that contains all the codes and status information. If fixed security units were to be used with the user inserting a memory block that contains all the codes and status information, an intelligent attacker could modify a fixed security unit to read its internal states and its user access codes. The attacker would then have free access to the network.

If the memory and the security processors are packaged together in a shielded and screened unit with a limited number of contacts for operating the security unit, the internal states of this unit would be hidden from an attacker. Since some users would require access to several main computer systems, it is necessary that security units be small and easily carried. Fortunately, the cryptographic and access functions are simple and easy to implement in hardware.

If it is desired, it is possible to install a countdown circuit in the security unit that designates the amount of access time remaining for which the user has credit and/or authorization. The main computer could query the user on a regular basis (e.g., every 60 seconds) and require that the security unit supply its current, internal, automatically generated password and decrement its access time counter. The access time counter could be coupled to, or made part of, the verification shift register to prevent tampering. If only a relatively small number of accesses are needed and permitted, a stored list of internal passwords could be used, rather than a non-linear shift register. Once the passwords are used up, the user would no longer have access to the main computer system and would have to have the security unit reset and supplied with a new list of internal passwords.

In the preferred embodiment the security unit comprises a CPU which coordinates data flow between the remote terminal and the modem connected to the telephone line. The CPU is provided with a random access memory (RAM); a read only memory (ROM); an internal password generator and a cryptographic module. The generalized rotor system is well suited as a cryptographic module, for it can perform parallel processing of both stream ciphers and bit-complete block ciphers. As mentioned above, a DES circuit may also be used for this function.

The main computer is connected via its own modem to the modems of the security units in the field. The main computer operates with software to serve the requirements of the security units. The main computer must possess a non-volatile but updatable memory for storing the appropriate information of all the users (internal state contents, personal identification strings, and user characteristics, if measured by a fixed security unit), all accessible by security unit identification number. It must also have a number of security processors, one for each telephone line that it services in parallel. If a generalized rotor system is used to encrypt the text, the rotor contents can be common for all users of the system, or for groups of users.

When the main computer is contacted by a security unit, it receives an identification number in the clear followed by the information supplied by the user and the security unit. Once the identification number is received, the main computer retrieves from its memory the appropriate information, decrypts the encrypted block and compares the received information to its stored information. If the supplied information is acceptable, the main computer calls the user and sends an enciphered message allowing access to the system and instructing the security unit to increment its internal state. If variable security unit identification numbers are used, the main computer keeps lists of available identification numbers and supplies a new number to the security unit for its next access. In this case this number is included in the encrypted block sent to the security unit. The previously used identification number is then inserted in the "available for reuse" list of identification numbers.

For a full understanding of the present invention, reference should now be made to the following detailed description of the preferred embodiments of the invention and to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the environment of the security units according to the present invention.

FIG. 2 is a representational diagram showing the messages transmitted by a security unit, according to the present invention, to gain access to the main computer system.

FIG. 3 is a block diagram of a security unit according to a preferred embodiment of the invention.

FIG. 4 is a block diagram representing one technique for automatically generating internal passwords in the security unit.

FIG. 5 is a block diagram representing another technique for automatically generating internal passwords in the security unit.

FIG. 6 is a block diagram of a cryptographic module for use in the security unit according to a first preferred embodiment of the present invention.

FIG. 7 is a block diagram of a cryptographic module for use in the security unit according to a second preferred embodiment of the present invention.

FIG. 8 is a block diagram illustrating the operation of the key-generating cryptographic module according to a third preferred embodiment of the present invention.

FIG. 9 is a block diagram of a cryptographic module for the security unit according to a fourth preferred embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The preferred embodiments of the present invention will now be described with reference to FIGS. 1-9 of the drawings. Identical elements in the various figures are designated with the same reference numerals.

FIG. 1 illustrates the environment and network to which the present invention relates. In this network a number of remote terminals 10 having associated portable security units and modems 12 are connected via telephone lines and a modem 13 to a main computer system 14 having a large data bank. Authorized users of the terminals may call up information from the data bank and may even cause the information in the data bank to be changed.

For example, the data bank may comprise the financial accounts of a large number of account holders in a banking institution. Users of the remote terminals 10 may obtain account information and may also transfer funds from one account to another.

Obviously, it would be advantageous for an unauthorized attacker if he/she could gain access to the information stored, and could effect transactions in the main computer. An attacker may be able to tap a telephone line with his/her own computer terminal 16, or to disconnect a portable terminal 18 by means of a switch 20 in favor of his/her own equipment. Another option of an attacker is to capture and use a remote terminal 18 and its associated security unit; however, this misappropriation of equipment increases the exposure of the attacker to discovery.

When an authorized user of a remote terminal 10 and security unit 12 wishes to call up the main computer, he/she proceeds as follows:

(1) The telephone number of the main computer is dialed from the remote telephone; for example, in an office, hotel, or the user's home. The main computer need not know in advance the subscriber number of the telephone from which it is to receive the call.

(2) The security unit 12 transmits a first "header" message as shown in FIG. 2 containing, at a minimum, the following information:
(a) The identification number of the security unit;
(b) The user's personal identification string (user's name, password and/or personal identification number (PIN));
(c) The subscriber number of the telephone from which the user is calling; and



4,802,217

(d) A first internal password which is automatically generated by the security unit.

The user must type in the information called for in items (b) and (c), above. The internal password (information item (d)) is placed in the message and transmitted automatically. The terminal user will have no knowledge of this password.

The identification number in the first message is transmitted "in the clear". However, all of the other information is encrypted utilizing as secure an encryption algorithm as possible. Advantageously, the internal password may be used to generate an encryption key.

After transmission of the first header, the user of the remote terminal terminates the telephone call (i.e., "hangs up"). Thereafter, the main computer decrypts the encrypted information in the first header and checks the validity of the user's personal identification string and the internally generated password. In particular, the internal password must match the password associated with the specific security unit, identified by the unit's identification number.

If the information in the first header is verified, the main computer returns the call by calling the telephone number identified in the header. Upon callback, the security unit answers and may begin with a "handshake" acknowledgement; e.g., by sending to the main computer a second header with a second internal, automatically generated password. Upon receipt, the main computer checks the validity of this second password. If verified, access is granted to the computer data bank and an exchange of messages follows.

The second internal password and the subsequent messages transmitted between the remote terminal and the main computer are encrypted.

An advantageous feature of the present invention is the use of a sequence of internal, automatically generated passwords to increase the security of access to the main computer. Even assuming that an attacker is able to decrypt the encrypted data contained in the first header, he/she will not be able to predict the second internal password and therefore will be unable to gain access to the computer by tapping the telephone line.

In order to compromise the system, an attacker must do two things:

(1) Learn the personal identification string (name, PIN and/or password) of an authorized user (either by decrypting a first header or by extorting this information from the authorized user); and
(2) Steal or otherwise gain access to a security unit.

In particular, an attacker will be unable to gain access to the main computer by merely knowing an authorized user's personal identification string (PIS) without using the corresponding authorized security unit, or by using an authorized security unit without knowing the corresponding PIS of an authorized user. According to a preferred embodiment of the present invention, the personal identification string includes a "trap flag" which the authorized user can set when forced to disclose the PIS to an attacker. This trap flag, when set, alerts the main computer that the PIS has been compromised.

FIG. 3 shows a preferred embodiment of the security unit and modem 12. This equipment comprises a central processing unit (CPU) 22; a random access memory (RAM) 24; a read only memory (ROM) 26; a password generator 28 and a cryptographic module 30. The CPU [...] between the main computer and the associated remote terminal 10. Input and output buffers are provided, as shown, to temporarily store data as it passes through the security unit.

The CPU 22 or control unit is operated by a program stored in the ROM 26. This program executes an algorithm to perform the following tasks:

(1) Upon request for communications from the terminal 10, the CPU requests the telephone number of the main computer to be contacted, the personal identification string of the user (which is then entered by the user) and the local telephone number (if this number is not permanently stored in the RAM 24 or ROM 26).
(2) The CPU requests the current internal password from the automatic password generator 28.
(3) The CPU supplies the internal password (or a derived product of the password) to the cryptographic module 30 to serve as a starting key.
(4) The CPU feeds the personal identification string, telephone number and internally generated password to the cryptographic module 30 for encipherment.
(5) The CPU obtains the security unit identification number from the RAM 24 (if the number is adjustable) or from the ROM 26.
(6) The CPU sends the identification number in the clear, followed by the encrypted personal text string, telephone number and internal password, to the modem 32 for transmission to the main computer.
(7) Upon a callback received from the main computer, the CPU passes the encrypted message from the main computer to the cryptographic module 30 for decryption. The CPU responds appropriately to the decrypted message, for example by passing it through to the terminal 10.
(8) Upon instruction by the main computer, the CPU increments the internal password generator 28, generating the next password. If variable identification numbers are used for the security unit, the CPU changes the identification number in the manner indicated by the main computer. The CPU then sends a handshake acknowledgement to the main computer which may include the second internal password.
(9) The CPU has the cryptographic module 30 encrypt data received from the terminal 10, and passes this encrypted text to the modem 32 for transmission to the main computer.
(10) The CPU receives encrypted data from the modem 32, has this data decrypted by the cryptographic module 30 and passes the decrypted data to the terminal 10.

As may be seen, the CPU 22 merely executes routine data handling functions in a repetitious manner. The software for operating the CPU is accordingly straightforward and relatively brief, so that an average programmer may produce such software in a reasonable time using only routine skill.

The hardware shown in FIG. 3 consists of "off the shelf" components with the exception of the password generator 28 and the cryptographic module 30. Therefore these two elements deserve some further explanation.

The internal, automatic password generator 28 is basically a pseudo-random number generator which, when incremented, produces the next number (password) in sequence. The pseudo-random number string
22 establishes communication with the main computer is, of course, known in advance to the main computer so 
through a modem 32 and controls the information flow that, given the current value of the string, the main 
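The callback exchange described above, worked through as an added example; this is illustrative code written for this page, not the patent's own software. It models the security unit 12 and the main computer sharing a FIG. 4 style password list and advancing the address pointer in step. The password values, the user record, the message layout and the use of a separate duress PIN as the "trap flag" are constructed assumptions, and the encryption of the headers by cryptographic module 30 is left out so that only the password-sequence and trap-flag logic is shown:

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the patent): the internal password list held
# in memory 34 of the security unit and mirrored by the main computer, one
# registered user and one issued unit.  The "trap flag" is modelled as a second,
# duress PIN; the patent only says the PIS carries a flag the user can set.
PASSWORDS = ["7f3a", "c019", "5be2", "aa70", "1d9c"]
USERS = {"alice": {"pin": "4417", "trap_pin": "4418"}}
UNITS = {"unit-1": {"owner": "alice", "passwords": PASSWORDS}}


@dataclass
class SecurityUnit:
    """Security unit 12: password list plus the address pointer of FIG. 4."""
    unit_id: str
    passwords: list
    pointer: int = 0

    def first_header(self, name, pin):
        return {"unit": self.unit_id, "pis": f"{name}:{pin}"}

    def increment(self):
        """Advance the password generator on instruction from the main computer."""
        self.pointer += 1

    def handshake(self):
        """Second header carrying the second internal password."""
        return {"unit": self.unit_id, "password": self.passwords[self.pointer]}


@dataclass
class MainComputer:
    pointers: dict = field(default_factory=dict)   # unit id -> last accepted index
    alerts: list = field(default_factory=list)

    def check_first_header(self, hdr):
        """Return 'ok', 'trap' or 'reject' for the personal identification string."""
        unit = UNITS.get(hdr["unit"])
        name, _, pin = hdr["pis"].partition(":")
        if unit is None or unit["owner"] != name:
            return "reject"
        user = USERS[name]
        if pin == user["trap_pin"]:
            self.alerts.append(f"PIS of {name} compromised (trap flag set)")
            return "trap"
        return "ok" if pin == user["pin"] else "reject"

    def check_second_header(self, hdr):
        """Accept only the next password in the sequence; commit the pointer on success."""
        unit_id = hdr["unit"]
        expected_index = self.pointers.get(unit_id, 0) + 1
        if hdr["password"] == UNITS[unit_id]["passwords"][expected_index]:
            self.pointers[unit_id] = expected_index
            return True
        return False


def session(main, first_hdr, respond_to_callback):
    """One access attempt.  respond_to_callback() yields the second header after
    the main computer has called back and told the unit to increment."""
    verdict = main.check_first_header(first_hdr)
    if verdict != "ok":
        return verdict                         # no callback is made at all
    return "granted" if main.check_second_header(respond_to_callback()) else "reject"


def run_scenarios():
    """Five attempts against one main computer, in order; returns verdicts and alerts."""
    main = MainComputer()
    unit = SecurityUnit("unit-1", PASSWORDS)

    def genuine_unit():
        unit.increment()                       # instruction from the main computer
        return unit.handshake()

    results = [session(main, unit.first_header("alice", "4417"), genuine_unit)]
    # Attacker who decrypted the first header and tapped the line replays the
    # password seen in the previous session but has no unit to produce the next one.
    tapped = unit.handshake()
    results.append(session(main, {"unit": "unit-1", "pis": "alice:4417"}, lambda: tapped))
    # Attacker holding the unit but not knowing alice's PIN.
    results.append(session(main, unit.first_header("alice", "0000"), genuine_unit))
    # Alice, forced to disclose her PIS, gives the trap PIN instead.
    results.append(session(main, unit.first_header("alice", "4418"), genuine_unit))
    # A later genuine session: unit and main computer are still in step.
    results.append(session(main, unit.first_header("alice", "4417"), genuine_unit))
    return results, main.alerts
```

The main computer commits its pointer only after a verified second header, and the unit increments only on instruction, so a failed attempt leaves the two sequences in step; the patent does not say how resynchronisation would be handled, so the example simply avoids needing it.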
Although any type of pseudo-random number generator would be suitable as the internal password generator 28, FIGS. 4 and 5 give two examples of generators that may be used. The internal state of the password generator should be resistant to analysis given a long series of passwords. FIG. 4 shows a memory (e.g., a ROM) or a pushdown stack 34 in which is stored a list of passwords P1, P2, P3 . . . Pn. These passwords may be permanently stored in the memory 34 or supplied, on request, by the main computer. The passwords P1, P2, P3, etc., are successively read out by an address pointer which is incremented on command from the CPU 22.

Shift registers using the arithmetic operations of addition or exclusive-ORing are well established procedures for generation of pseudo-random number strings. Such a device is shown in FIG. 5. As may be seen, an 8-bit shift register 36 is used to produce an 8-bit password Pi. This register is incremented by a pulse at input "I" from the CPU 22. When incremented, bits are passed to an adder 38 and to an exclusive-OR gate 40 which supplies a new bit to the input of the shift register.

The circuit of FIG. 5 is only exemplary of a class of pseudo-random number generators which are implemented with a shift register. Although this example is implemented in base 2, the same procedure may be used for pseudo-random number generators for larger bases (2^n) of the type described by D. E. Knuth: The Art of Computer Programming, Vol. 2, 2nd Ed., Chapter 3; Addison-Wesley; Reading, Mass. (1981). Unfortunately, the linear nature of the pseudo-random sequences produced by such pseudo-random generators allows the contents of the shift registers to be determined from a small amount of generator output. The use of non-linear mixing operations makes the sequences harder to invert, but makes the mathematical analysis of the behavior of the system difficult or impossible to predict, and may decrease the period of the output sequence.

The cryptographic module 30 may be implemented by the generalized rotor system referred to above and disclosed in my co-pending U.S. patent application Ser. No. 660,753, filed Oct. 15, 1984, now abandoned. Such a system is well suited for parallel processing and can perform the basic cryptographic operations on both stream ciphers as well as bit-complete block ciphers. The shift registers used to generate the rotor choice and rotor offset values can run in parallel, putting their output into delay lines of variable length so that each character is enciphered with the appropriate rotor values. While each rotor stage operates sequentially, all these stages together process data in parallel, resulting in a high throughput. Reference should be made to the aforementioned patent application for details of this implementation.

Alternatively, the cryptographic module 30 can be implemented by any other suitable cryptographic algorithm which offers the desired degree of security. Strong cryptographic block transformations are non-linear transformations where every bit of the output depends upon every bit of the input as well as the cryptographic key. A change of any one bit in the key or in the input block results in each bit of the output block independently having about a 50 percent chance that it will change, with no predictable pattern in the changes. An example of such a mixing operation is the U.S. Government's Data Encryption Standard (DES) which has now been implemented on integrated circuits. If the high speed of the generalized rotor is not required and it is desired to use standard encryption procedures, a cryptographic module based upon the DES is capable of high security.

Since the system key size is small with a typical DES processor circuit (chip), multiple encryption is recommended so as to increase the cryptographic security against brute force assaults. This requires sequential processing of the plaintext through separate DES processors (each of which has its own key). In this case the keys for the transformations remain constant for each block of text that is processed. It is preferable, however, to use a system that uses a larger key size. Furthermore, security would be further increased if the working key were to change during the course of encryption, since an attacker would then be unable to test out trial solutions of one text block on other text blocks.

According to another aspect of the present invention, a "duplex" DES-based scheme is provided which fulfills these requirements. The simplest version of this scheme is a dual DES arrangement in which a DES key generator, composed of a DES chip loaded with a key and a starting text block, is used to generate keys for a second DES encryption chip, as shown in FIG. 6. The key generator performs sequential transformations of the text block under action of the fixed key. The output of the key generator is adjusted for parity and used as the encryption key for the second DES chip. The key for the system is composed of the key and starting block of the key generator unit. Such an arrangement is analogous to pseudo-random generators utilizing the linear congruential method.

The key generator generates a long period cycle of output blocks. A cycle is established as soon as an earlier value is repeated. Since the DES mapping is apparently random and is sensitive to a single bit change in the input, we can estimate the average period on a statistical basis. Since there are 2^64 possible blocks and, on the average, each is equally likely, the expected period of the key generator is 2^63 blocks. A known plaintext attack on this system will yield the consecutive keys used by the encryption chip. These keys are composed of 56 bits of the 64-bit output blocks of the key generator. Since it is known that the transformation key is kept constant, the attacker must determine what input block and transformation key yield the known output block. The uncertainty in knowledge of the output block by a factor of 256 per block (due to the use of 1 bit per byte as a parity bit) adds to the attacker's difficulties. The uncertainty in knowledge of the output of the key generator increases the search space to 2^128 (2^64 due to the generator input block, 2^56 due to the generator key, and 2^8 due to the uncertainty in the analyst's knowledge of the output of the key generator). This search space is larger than the search space for the conventional double DES encryption procedure.

The system security can be increased significantly at very little cost by increasing the size of the input text block and selecting the transformation key from the text block as well. This is the case of the random operator shift register. Such a shift register is implemented with a block of memory to contain the register contents, a processor to control the feedback connections and processing of the DES chip, and a DES chip to serve as a nonlinear feedback element. The output of the shift register is used as a variable key for the second DES chip which performs the encipherment. The memory may be structured as blocks which are used as such or as a series of bits from which the key and text blocks are read.
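The FIG. 5 shift-register password generator and the weakness noted above (the contents of a linear register can be determined from a small amount of output), worked through as an added example; this is not code from the patent. It uses an 8-bit Fibonacci LFSR with the maximal-length tap set (8, 6, 5, 4), an assumed choice since the page does not give the wiring of register 36 and its adder 38 and gate 40, reads out a password after every eight pulses on input "I" (also an assumption), and then plays the line-tapping attacker: from two observed passwords it recovers the register length and feedback relation with the Berlekamp-Massey algorithm and predicts every later password:

```python
# Added example, not the patent's code: an 8-bit LFSR password generator after
# FIG. 5 and the linear-inversion attack the text warns about.
TAPS = (2, 3, 4, 8)      # s[t] = s[t-2] ^ s[t-3] ^ s[t-4] ^ s[t-8]; assumed maximal-length taps
REG_BITS = 8


def int_to_bits(value, width=REG_BITS):
    return [(value >> (width - 1 - k)) & 1 for k in range(width)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def password_sequence(seed, count, clocks=REG_BITS):
    """Passwords P1..Pcount: the register contents after each group of `clocks` pulses."""
    stream = int_to_bits(seed)           # register contents, oldest bit first
    passwords = [seed]
    for _ in range(count - 1):
        for _ in range(clocks):
            new = 0
            for t in TAPS:
                new ^= stream[-t]        # XOR of the tapped cells feeds the input
            stream.append(new)
        passwords.append(bits_to_int(stream[-REG_BITS:]))
    return passwords


def lfsr_period(seed):
    """Pulses until the register contents return to `seed` (255 for a maximal LFSR)."""
    state = int_to_bits(seed)
    pulses = 0
    while True:
        new = 0
        for t in TAPS:
            new ^= state[-t]
        state = state[1:] + [new]
        pulses += 1
        if bits_to_int(state) == seed:
            return pulses


def berlekamp_massey(bits):
    """Shortest LFSR (length L, connection coefficients c[1..L]) generating `bits`."""
    n = len(bits)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def recover_and_predict(observed, n_predict):
    """Attacker on the line: from `observed` passwords, recover the register length
    and feedback taps and predict the next `n_predict` passwords."""
    bits = [b for p in observed for b in int_to_bits(p)]   # contiguous: clocks == REG_BITS
    L, c = berlekamp_massey(bits)
    stream = bits[:]
    for _ in range(n_predict * REG_BITS):
        new = 0
        for j in range(1, L + 1):
            new ^= c[j] & stream[-j]
        stream.append(new)
    predicted = [bits_to_int(stream[len(bits) + k * REG_BITS:][:REG_BITS])
                 for k in range(n_predict)]
    return L, predicted


if __name__ == "__main__":
    seq = password_sequence(0xA5, 12)            # 0xA5 is a constructed seed
    L, predicted = recover_and_predict(seq[:2], 10)
    print("period:", lfsr_period(0xA5), "register length found:", L)
    print("predicted == actual:", predicted == seq[2:])
```

Two passwords (16 bits, twice the register length) are enough for Berlekamp-Massey to pin down the unique minimal register, which is exactly the "small amount of generator output" the text refers to; this is why the patent moves on to non-linear mixing (DES) as the feedback element.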
Consider the case where the memory is structured as an array of k blocks (each block is one block code length long) with taps at the i-th and j-th blocks. The feedback is determined by the DES transformation (ciphertext block = DES[key, plaintext block]). The shift register would be controlled by its feedback relation: block(k) = DES[block(k-i), block(k-j)]. Such an arrangement is shown in FIG. 7. The contents of block(0) through block(k-1) constitute the system key. As the routine is used, sequentially higher values of k are used. This procedure is easily implemented in hardware as well as software; it results in continually changing values of the "key" and "data" blocks being transformed. After the routine has cycled through the array several times, each bit in the block is dependent upon the value of every bit of the initial contents of the register array.

Assume that the blocks are p bits long and that the keys are a set/subset of the block with a length of q bits, q <= p. Since cryptographic block transformations are reversible and unique, each input block can map into 2^q distinct output blocks (as a result of the 2^q keys). The probability that a given input block can map to a specified output block is 2^(q-p). The probability of that particular mapping is 2^-q. The probability of obtaining a specified output block given a randomly chosen input block and a randomly chosen key is 2^-p.

During iteration of the shift register each block is used twice: once as an input block and once as a key, when q bits are used. The shift register will repeat itself only when all the blocks in the shift register are the same as they were at some earlier time. Since the chance of a given output block occurring is 2^-p, the chance of n consecutive specific blocks appearing is 2^-np. This results in an expected period length of 2^np blocks (that is, p x 2^np bits), somewhat longer than the period of a maximal length linear feedback shift register with np bits (= 2^np - 1).

Further complexities can be introduced by reading the key and block to be transformed on a bit by bit basis from a memory block. In such a case the controlling microprocessor would read in the appropriate number of bits for the key and transformation block from the appropriate locations in the register. If the register length is chosen to be relatively prime to the lengths of the key and block, analysis is made more complicated because of the steadily changing locations of the key and data blocks within the register. Such a process effectively increases the period by the product of the lengths of the register, the key block, and the transformation block (with common factors only appearing once).

More particularly, the key length of the DES is 7 bytes while the block length is 8 bytes. If the length of the shift register is chosen to be relatively prime to the key length (7 bytes) and block length (8 bytes) and if, after each operation of the DES chip, the key and text blocks are incremented by their respective lengths, the feedback within the shift register is made much more complex and hard to analyze. A schematic of this arrangement is shown in FIGS. 8A and 8B.

Inversion of the output of such random operator shift registers will be very difficult because of the multiplicity of potential mappings that are available for each output block of the sequence and the complex mixings that occur within the shift register.

Random operator shift registers can be expected to be excellent generators of pseudo-random number sequences. These sequences can be used directly, byte by byte, for stream encryption by modulus addition or exclusive-ORing. They can also be used block by block to provide an ever-changing keystream to another DES chip which processes the plaintext. Since both chips would work in parallel, the encryption speed would not be slowed down, but the security of the system would be significantly increased. An attacker would be forced to work backwards, determining the sequential keys to the encryption chip and, from those keys, attempting to determine the contents of the shift register, a very difficult task.

While random operator shift registers are not dependent upon hardware implementations of cryptographic transformations, high speed encryption and decryption operations will require hardware implementation of the mixing operation. The DES system, while readily commercially available, is not the only mixing transformation that may be used. The generalized rotor system is also suitable for random operator shift register construction as a byte as well as a block operator. It is also well suited for high speed hardware implementation.

It is possible to construct arbitrary combinations of such shift registers using block mixing chips as nonlinear algebraic elements. The ready availability of the DES chips and the ease of wiring them in parallel allows the construction of complex cryptographic systems which are both fast and difficult to analyze. Unfortunately, the complexity of the block mixing transformation used in the construction of these systems makes the prediction of their behavior virtually impossible. If it is necessary to use systems that can be theoretically modeled, linear feedback shift registers may be mixed with such block transformations to hinder backward analysis of the shift register contents, taking advantage of the nonuniqueness of the mixing when both the key and the block are being mixed. Such a mixer is shown in FIG. 9.

In the arrangement of FIG. 9, the first DES chip 42 which generates the key for the second DES chip 44 mixes the contents of the shift registers A1 to An and the shift registers B1 to Bn. It will be understood that the contents of these registers may be supplied sequentially or in any arbitrary order.

There has thus been shown and described a novel system for securing access to a computer facility which fulfills all the objects and advantages sought therefor. Many changes, modifications, variations and other uses and applications of the subject invention will, however, become apparent to those skilled in the art after considering this specification and the accompanying drawings which disclose preferred embodiments thereof. All such changes, modifications, variations and other uses and applications which do not depart from the spirit and scope of the invention are deemed to be covered by the invention which is limited only by the claims which follow.

What is claimed is:

1. Apparatus for generating an essentially non-invertible stream of pseudo-random blocks via a mixer of pseudo-random sequences, the mixer comprising:

first means comprising a first plurality of pseudo-random sequence generators for supplying successive pseudo-random block sequences, each block from a successive one of the pseudo-random sequence generators, as successive encryption key blocks;

second means comprising a second plurality of pseudo-random sequence generators for supplying successive pseudo-random block sequences, each block from a successive one of the pseudo-random sequence generators, as successive input blocks;

first means for switching from one pseudo-random sequence generator to another one in said first plurality to obtain new values for the next encryption key block;

second means for switching from one pseudo-random sequence generator to the next one in said second plurality to obtain new values for the next input block; said second means for switching and said first means for switching operating synchronously so that each new input block has a corresponding new encryption key block;

means for mixing each encryption key and each input block utilizing a cryptographic block code according to the Data Encryption Standard (DES) algorithm, where each encryption key block is supplied by said first means for switching and each input block is supplied by said second means for switching; and

means for outputting the resulting output block to provide the essentially non-invertible stream of pseudo-random blocks.

2. Apparatus for generating an essentially non-invertible stream of pseudo-random blocks according to claim 1, wherein said first means provides blocks of fifty-six bits each and said second means provides blocks of sixty-four bits each.
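An added example, not the patent's code, exercising the FIG. 6 key generator (a block transformation iterated under a fixed key, its output keying a second cipher), the FIG. 7 random operator shift register with feedback block(k) = DES[block(k-i), block(k-j)], and the duplex arrangement in which the register's output keys a second chip block by block. Since no DES implementation is in the Python standard library and a 64-bit cycle cannot be walked, a 16-bit keyed Feistel permutation stands in for the DES chip, with p = 16-bit blocks and q = 12-bit keys mirroring the 64/56 split; the toy cipher, the tap positions i = 2 and j = 5, the k = 5 block system key and the sample message are all assumptions made for this script:

```python
import random
from collections import deque
from functools import lru_cache

# Added example, not the patent's code.  A 16-bit keyed Feistel permutation stands
# in for the DES chip: P_BITS-bit blocks (p) and Q_BITS-bit keys (q), the key being
# the low q bits of a block, as DES uses 56 of 64.
P_BITS, Q_BITS, ROUNDS = 16, 12, 8
MASK_P, MASK_Q = (1 << P_BITS) - 1, (1 << Q_BITS) - 1


@lru_cache(maxsize=None)
def _round_keys(key):
    key &= MASK_Q
    return tuple(((key >> (i % 5)) ^ ((key * (2 * i + 3)) >> 2) ^ (0x5A * i)) & 0xFF
                 for i in range(ROUNDS))


def _f(half, k):
    x = ((half ^ k) * 0x9D + 0x3B) & 0xFF          # cheap nonlinear mixing
    return ((x << 3) | (x >> 5)) & 0xFF


def encrypt(key, block):
    """E[key, block]: the block transformation used as the mixing operation."""
    left, right = block >> 8, block & 0xFF
    for k in _round_keys(key):
        left, right = right, left ^ _f(right, k)
    return (left << 8) | right


def decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for k in reversed(_round_keys(key)):
        left, right = right ^ _f(left, k), left
    return (left << 8) | right


def is_permutation(key):
    """The text relies on block transformations being reversible and unique
    (one-to-one); check it exhaustively over all 2**p blocks for one key."""
    return len({encrypt(key, b) for b in range(1 << P_BITS)}) == (1 << P_BITS)


def key_generator_cycle(generator_key, start):
    """FIG. 6 key generator: x <- E[generator_key, x] under a fixed key.  Returns the
    cycle length, established as soon as an earlier value repeats; the text's
    estimate for an apparently random mapping of p-bit blocks is about 2**(p-1)."""
    seen, x, t = {}, start, 0
    while x not in seen:
        seen[x] = t
        x, t = encrypt(generator_key, x), t + 1
    return t - seen[x]


class RandomOperatorShiftRegister:
    """FIG. 7: k blocks with taps at i and j; block(k) = E[block(k-i), block(k-j)].
    block(0)..block(k-1) form the system key."""

    def __init__(self, system_key, i, j):
        self.blocks = deque(system_key, maxlen=len(system_key))
        self.i, self.j = i, j

    def next_block(self):
        new = encrypt(self.blocks[-self.i], self.blocks[-self.j])
        self.blocks.append(new)                    # oldest block drops out
        return new


def duplex_process(system_key, i, j, blocks, decrypting=False):
    """Duplex arrangement: the register output (q bits of it) keys a second cipher
    block by block, so the working key changes for every block of text."""
    register = RandomOperatorShiftRegister(system_key, i, j)
    op = decrypt if decrypting else encrypt
    return [op(register.next_block() & MASK_Q, b) for b in blocks]


def avalanche(system_key, i, j, warm_up, trials=64):
    """Average number of output bits that change when one bit of block(0) is
    flipped, measured after `warm_up` feedback steps (several passes through the
    array); the text expects every output bit to depend on every initial bit."""
    rng, total = random.Random(7), 0
    for _ in range(trials):
        flipped = list(system_key)
        flipped[0] ^= 1 << rng.randrange(P_BITS)
        a = RandomOperatorShiftRegister(system_key, i, j)
        b = RandomOperatorShiftRegister(flipped, i, j)
        for _ in range(warm_up):
            a.next_block(), b.next_block()
        total += bin(a.next_block() ^ b.next_block()).count("1")
    return total / trials


# Constructed sample data: a k = 5 block system key and a short message in 16-bit blocks.
SYSTEM_KEY = [0x3A7F, 0xC012, 0x5BE2, 0xAA70, 0x1D9C]
MESSAGE = [0x4865, 0x6C6C, 0x6F2C, 0x2057, 0x6F72, 0x6C64]

if __name__ == "__main__":
    print("one-to-one:", is_permutation(0x6B5))
    print("key generator cycle:", key_generator_cycle(0x6B5, 0x1234), "(estimate 2**15 =", 2 ** 15, ")")
    ct = duplex_process(SYSTEM_KEY, 2, 5, MESSAGE)
    print("ciphertext:", [hex(c) for c in ct])
    print("round trip ok:", duplex_process(SYSTEM_KEY, 2, 5, ct, decrypting=True) == MESSAGE)
    print("avalanche after 3 passes (of 16 bits):", avalanche(SYSTEM_KEY, 2, 5, warm_up=15))
```

The cycle measurement is the point of the toy width: because E[key, .] is a permutation, iterating it from any start returns to that start, and the measured cycle can be compared directly against the 2^(p-1) estimate the text applies to DES at p = 64. Replacing the Feistel stand-in with a real DES chip or library call changes nothing else in the structure.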